Re: NTFS inherited permissions bug on W2K

From: Ronald Beekelaar (ronald@BEEKELAAR.COM)
Date: 10/10/01


Message-ID:  <00d201c15118$fbc41080$0101500a@ampersand.nl>
Date:         Wed, 10 Oct 2001 01:20:21 +0200
From: Ronald Beekelaar <ronald@BEEKELAAR.COM>
Subject:      Re: NTFS inherited permissions bug on W2K
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM


> If someone submits a reasonable explanation as to why this is a bug
> then I'll put it through.

I can see a reasonable explanation why this can be considered a bug:

A file has two kinds of *effective* permissions attached to it:
- permissions applied to the file directly
- permissions applied to the file by inheritance from its parent folders.

Windows 2000 implements this by *copying* inherited ACEs to files at
creation time. This can either be at creation time of a new file or at
creation time of a new inheritable permission at some higher parent folder.
This is an implementation decision to optimize access time later. Microsoft
could also have implemented this by *not copying* inherited ACEs, but
instead calculating them at access time. The actual implementation should not
have mattered to the functionality of inherited permissions.

However, when you move a file with inherited permissions applied to it,
these inherited permissions stay on the file! (This is unlike the inherited
permission behavior in the AD object tree, when you move an object that has
inherited permissions.)

What's worse, the moved file now has permissions that are still marked as
"inherited", but are not on the current parent folders. This situation can
never be created without having moved the file. In fact, as soon as you
change *any* permission on any of the parent folders (or even on the file
itself), the inherited permissions that were still on the file after the
move, will now disappear.

> If a file is moved into a directory, it retains its original permissions.

No, it temporarily retains its original inherited permissions, until you
change some of the new parent folders' permissions. This behavior makes
*adding* permissions to folders, result in *removing* totally unrelated
inherited permissions from files downstream. That can easily be seen as a
bug.

I understand that this is the intended behavior though...

Hope that helps,
Ronald Beekelaar

----- Original Message -----
From: "Russ" <Russ.Cooper@RC.ON.CA>
To: <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>
Sent: Tuesday, October 09, 2001 23:46
Subject: Re: NTFS inherited permissions bug on W2K

> Inheritance has always been present in NT. According to;
> http://support.microsoft.com/support/kb/articles/Q102/0/24.asp
>
> which applies to NT 3.1, the move versus copy issue you describe has
> always been by design since its first release. That it is or isn't the
> same as
> Netware or Mac OS isn't relevant.
>
> If a file is copied into a directory, it gets the inherited permissions of
> the directory it's being copied into.
>
> If a file is moved into a directory, it retains its original permissions.
>
> ACLs in NT have always been displayed as explicit, even if they were
> inherited from the parent directory. The updated ACL editor included in NT
> 4.0 SP4 properly shows inherited ACLs versus explicit, assuming of course
> that you didn't use a pre-SP4 ACL editor to modify ACLs. See;
>
> http://support.microsoft.com/support/kb/articles/Q287/0/24.ASP
>
> for more information.
>
> As I said in private mail rejecting this post initially, I don't see a bug
> here. If someone submits a reasonable explanation as to why this is a bug
> then I'll put it through.
>
> Cheers,
> Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
>
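
The behaviour argued over in this thread, as a small Python model (an added example, not part of either message and not Windows code). It assumes every ACE on a folder is inheritable; the names Ace, Node, stale_inherited and the sample tree are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Ace:
    trustee: str
    rights: str
    inherited: bool = False

@dataclass(eq=False)
class Node:
    name: str
    parent: "Node" = None
    acl: list = field(default_factory=list)
    children: list = field(default_factory=list)

def inheritable(folder):
    # Model assumption: every ACE on a folder is inheritable by its children.
    return [Ace(a.trustee, a.rights, True) for a in folder.acl]

def create(name, parent, explicit=()):
    # Creation time: inherited ACEs are *copied* onto the new object.
    node = Node(name, parent, list(explicit) + inheritable(parent))
    parent.children.append(node)
    return node

def move(node, new_parent):
    # Move: the ACL travels unchanged, copied "inherited" ACEs included.
    node.parent.children.remove(node)
    new_parent.children.append(node)
    node.parent = new_parent

def refresh(node):
    # Rebuild the inherited part of the ACL from the current parent.
    node.acl = [a for a in node.acl if not a.inherited] + inheritable(node.parent)
    for child in node.children:
        refresh(child)

def set_permission(folder, ace):
    # Any ACL change on a folder re-propagates to everything below it.
    folder.acl.append(ace)
    for child in folder.children:
        refresh(child)

def stale_inherited(node):
    # Audit check: ACEs marked inherited that the current parent does not supply.
    expected = set(inheritable(node.parent))
    return [a for a in node.acl if a.inherited and a not in expected]

def demo():
    root = Node("root")  # constructed sample tree
    hr = create("HR", root, [Ace("HR-Staff", "Modify")])
    public = create("Public", root, [Ace("Everyone", "Read")])
    doc = create("report.doc", hr)
    move(doc, public)
    stale = stale_inherited(doc)                     # HR-Staff ACE lingers after the move
    set_permission(public, Ace("Auditors", "Read"))  # unrelated addition on the new parent
    return stale, doc.acl
```

After the move, the file still carries the HR-Staff ACE marked as inherited and has nothing from Public; adding the unrelated Auditors ACE on Public then replaces it with Public's ACEs.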
